(psa) make workloads compatible with psa:restricted profile #2820

Commits on Aug 2, 2022

  1. (psa) make workloads compatible with psa:restricted profile

    With the introduction of [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-admission-labels-for-namespaces), the recommended
    best practice is to enforce the Restricted policy of admission (see [1] for more details).
    This PR
    *) Labels the olm namespace as `enforce:restricted`
    *) Labels the operators namespace as `enforce:baseline` (to allow existing CSV deployments
    without securityContext set to deploy in the namespace, which won't be possible with
    `enforce:restricted`)
    *) updates the securityContext of olm workload pods (olm-operator, catalog-operator,
    and CatalogSource registry pods) to adhere to the `Restricted` policy.
    *) updates the bundle unpacking job to create a pod that adheres to the `Restricted` policy,
    so that bundles can be unpacked in the `Restricted` namespace.
    
    Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>
    anik120 committed Aug 2, 2022 (commit 08360e2)
  2. (flaky text fix): GC CSV with wrong namespace annotation

    The test was modifying the `olm.operatornamespace` to an incorrect value,
    and checking to make sure that the CSV was garbage collected as a result.
    However, the olm-controller was copying a fresh copy back into the namespace,
    so whenever the test was able to get a yes reply to the question "is the CSV
    gone", in the brief window before it was copied back again, the test was passing.
    This commit fixes that by making sure that if it finds a CSV that we expected to be
    garbage collected, it passes if it determines that the CSV is a fresh copy, and
    not the one modified before.
    
    Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>
    anik120 committed Aug 2, 2022 (commit 9cde3f0)
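
The first commit message above notes that deployments without a securityContext cannot be admitted under `enforce:restricted`. The Go program below is an added example, not code from this PR or from OLM; it checks one container against four of the Restricted controls (allowPrivilegeEscalation, runAsNonRoot, seccompProfile, capabilities.drop). `SecCtx` and `RestrictedViolations` are hypothetical names for this example, not Kubernetes API types.

```go
package main

import "fmt"

// SecCtx is a hypothetical stand-in for the securityContext fields checked
// here (not the k8s.io/api types). A nil pointer or "" means "unset".
type SecCtx struct {
	RunAsNonRoot, AllowPrivilegeEscalation *bool
	SeccompType                            string   // seccompProfile.type
	Drop                                   []string // capabilities.drop
}

// RestrictedViolations checks one container against four Restricted controls,
// given the pod-level context. Volume types, runAsUser and capabilities.add
// are not covered.
func RestrictedViolations(pod, ctr SecCtx) (out []string) {
	fail := func(bad bool, msg string) {
		if bad {
			out = append(out, msg)
		}
	}
	nonRoot, seccomp, dropsAll := ctr.RunAsNonRoot, ctr.SeccompType, false
	if nonRoot == nil { // unset container fields inherit the pod-level value
		nonRoot = pod.RunAsNonRoot
	}
	if seccomp == "" {
		seccomp = pod.SeccompType
	}
	for _, d := range ctr.Drop {
		dropsAll = dropsAll || d == "ALL"
	}
	podFalse := pod.RunAsNonRoot != nil && !*pod.RunAsNonRoot // explicit false is never allowed
	fail(ctr.AllowPrivilegeEscalation == nil || *ctr.AllowPrivilegeEscalation, "allowPrivilegeEscalation must be false")
	fail(nonRoot == nil || !*nonRoot || podFalse, "runAsNonRoot must be true")
	fail(seccomp != "RuntimeDefault" && seccomp != "Localhost", "seccompProfile.type must be RuntimeDefault or Localhost")
	fail(!dropsAll, "capabilities.drop must include ALL")
	return out
}

func main() {
	t, f := true, false
	// Constructed samples: a container with no securityContext, then a hardened one.
	pod := SecCtx{RunAsNonRoot: &t, SeccompType: "RuntimeDefault"}
	ctr := SecCtx{AllowPrivilegeEscalation: &f, Drop: []string{"ALL"}}
	fmt.Println(RestrictedViolations(SecCtx{}, SecCtx{}))
	fmt.Println(RestrictedViolations(pod, ctr))
}
```

A container with nothing set fails all four checks, which is why the operators namespace stays at `enforce:baseline` for existing CSV deployments.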